[nsp-sec] AS Path Forging - Observations from an incident

David Freedman david.freedman at uk.clara.net
Thu Jan 8 13:33:07 EST 2009


Well, could each AS participant model current traceroutes and then the system could (in the background) look for deltas and alert operators, who would then have to confirm that they are happy with them (then the system could learn what paths are tolerated)?

Dave.


------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



-----Original Message-----
From: nsp-security-bounces at puck.nether.net on behalf of Stephen Gill
Sent: Thu 1/8/2009 18:11
To: Hank Nussbacher; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] AS Path Forging - Observations from an incident
 
----------- nsp-security Confidential --------

Hi Hank,

> An idea: I have tried Traceroute Mesh:
> http://jlh.nightmist.co.uk/tr.php
> http://www.robandmollie.com/tr/tr.php
> http://tr.meta.net.nz/tr.php
> 
> If you choose an IP that you believe has been hijacked, you can view a
> graphic of all the traceroute hops (map) and if any of the paths go where
> it shouldn't be going, then you have a hijack. Problem is the various
> traceroute mesh servers are located at small mom & pop sites and are slow
> and unreliable.
> 
> What if we (nsp-sec) were to create a closed, secret traceroute mesh so we
> can check whether a prefix has been hijacked?  This would only be used
> when a hijack is taking place and is not useful after the fact.
> 
> How does this idea sound?  Would various nsp-sec members be willing to
> contribute their servers?  Team Cymru want to get involved?

All great suggestions!  Stay tuned, we have already been noodling on some
ideas along this front and will keep you posted...

Along with your original question - what are some metrics you would use to
detect this automatically, rather than requiring a human to know and query
for it in the first place?

Cheers,
-- steve

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com




_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
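
The baseline-and-delta idea proposed at the top of this thread, as an added Python example (not code from any poster or from Team Cymru). It assumes each traceroute hop has already been mapped to an origin ASN (None for unanswered or unmapped hops); `PathMonitor`, its method names, the vantage name and the sample ASNs and prefix are hypothetical.

```python
from dataclasses import dataclass, field

def as_path(hops):
    """Collapse per-hop ASNs into an AS-level path: drop None, merge repeats."""
    path = []
    for asn in hops:
        if asn is not None and (not path or path[-1] != asn):
            path.append(asn)
    return tuple(path)

@dataclass
class PathMonitor:
    tolerated: dict = field(default_factory=dict)  # (vantage, prefix) -> known-good AS paths
    pending: dict = field(default_factory=dict)    # (vantage, prefix) -> paths awaiting review

    def learn(self, vantage, prefix, hops):
        """Record the current traceroute as part of the baseline."""
        self.tolerated.setdefault((vantage, prefix), set()).add(as_path(hops))

    def observe(self, vantage, prefix, hops):
        """Return None for a tolerated path, otherwise an alert describing the delta."""
        key, path = (vantage, prefix), as_path(hops)
        known = self.tolerated.get(key, set())
        if path in known:
            return None
        self.pending.setdefault(key, set()).add(path)
        seen = {asn for p in known for asn in p}
        return {"vantage": vantage, "prefix": prefix, "path": path,
                "new_asns": [a for a in path if a not in seen],
                "final_as_changed": bool(known) and all(p[-1:] != path[-1:] for p in known)}

    def confirm(self, vantage, prefix, path):
        """Operator accepts a pending path, so the system learns it is tolerated."""
        key = (vantage, prefix)
        self.pending.get(key, set()).discard(path)
        self.tolerated.setdefault(key, set()).add(path)

# Constructed sample data: documentation ASNs (RFC 5398) and prefix (RFC 5737).
def demo():
    m = PathMonitor()
    m.learn("vantage-a", "192.0.2.0/24", [64496, 64496, None, 64497, 64499])
    same = m.observe("vantage-a", "192.0.2.0/24", [64496, 64497, 64497, 64499])
    alert = m.observe("vantage-a", "192.0.2.0/24", [64496, 64500, 64501, 64499])
    m.confirm("vantage-a", "192.0.2.0/24", alert["path"])
    after = m.observe("vantage-a", "192.0.2.0/24", [64496, 64500, 64501, 64499])
    return same, alert, after
```

Paths are compared at AS level rather than per router hop, so intra-AS load balancing and unanswered hops do not raise alerts.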



